CVE-2026-40188
Path Traversal in goshs SFTP Rename Allows Directory Escape
Publication date: 2026-04-10
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goshs | goshs | 2.0.0 |
| goshs | goshs | From 1.0.7 (inc) to 2.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1314 | The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in goshs allows unauthorized file writes outside the intended SFTP root directory, potentially enabling remote code execution by overwriting critical files. This unauthorized access and modification of files could lead to violations of data integrity and security requirements mandated by common standards and regulations such as GDPR and HIPAA.
Specifically, the ability for an attacker with low privileges to write files arbitrarily on the filesystem may result in exposure or tampering of sensitive data, which conflicts with the principles of data protection, confidentiality, and integrity required by these regulations.
Therefore, if goshs is used in environments subject to such compliance standards, this vulnerability could cause non-compliance due to insufficient access controls and lack of proper sanitization, risking unauthorized data manipulation or disclosure.
Can you explain this vulnerability to me?
CVE-2026-40188 is a high-severity vulnerability in the goshs SFTP server, a SimpleHTTPServer written in Go. The issue occurs because the SFTP rename command sanitizes only the source file path but fails to sanitize the destination path. This means an attacker can rename a file to a location outside the intended SFTP root directory.
Specifically, the source path is properly sanitized, but the destination path is used directly without validation, allowing unauthorized file writes anywhere on the filesystem accessible by the server process.
This flaw enables an attacker with low privileges and no user interaction to write files arbitrarily outside the root directory, potentially leading to system compromise.
How can this vulnerability impact me?
This vulnerability allows remote attackers with low privileges to write files outside the designated SFTP root directory without user interaction.
By exploiting this, an attacker could overwrite critical system files such as SSH keys or configuration files, potentially leading to remote code execution (RCE) and full system compromise.
The impact is significant because it changes the security scope, allowing unauthorized modification of system integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized file rename operations that write files outside the intended SFTP root directory. Specifically, look for SFTP rename commands where the destination path is outside the root directory, which indicates exploitation attempts.
Since the vulnerability involves the SFTP rename command improperly sanitizing the destination path, you can detect it by checking SFTP server logs for rename requests with destination paths that are absolute or traverse outside the root.
Additionally, after applying the patch, the server logs and webhook notifications will report blocked rename requests with invalid target paths, which can be used to detect exploitation attempts.
- Check SFTP server logs for rename commands with destination paths outside the root directory.
- Monitor for webhook notifications or logs indicating blocked SFTP rename requests due to failed path sanitization (if patched).
- Use commands like `grep 'rename' /path/to/goshs/logfile` to find suspicious rename operations.
- Use network monitoring tools to capture SFTP traffic and analyze rename commands for suspicious destination paths.
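The two answers above describe the same path check from two sides: the rename handler should validate the destination exactly as it validates the source, and a log review should flag rename requests whose destination traverses with `..` or is absolute and not under the SFTP root. The Go program below is an added illustration, not goshs code: it contrasts a rename resolver that validates only the source (the behaviour the advisory describes) with one that validates both ends, and runs the detection rule over a few constructed log lines. The root `/srv/sftp`, the `resolve`, `renameVulnerable`, `renameFixed` and `scanRenameLog` names, and the log format `<timestamp> sftp rename src=<path> dst=<path>` are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any client-supplied path that would leave the SFTP root.
var ErrOutsideRoot = errors.New("path escapes sftp root")

// resolve maps a client-supplied SFTP path (always '/'-separated) onto the host
// filesystem under root. A ".." segment is rejected outright instead of being
// collapsed, so the caller can log the attempt. Hypothetical helper for this example.
func resolve(root, clientPath string) (string, error) {
	if strings.ContainsRune(clientPath, 0) {
		return "", ErrOutsideRoot
	}
	for _, seg := range strings.Split(clientPath, "/") {
		if seg == ".." {
			return "", ErrOutsideRoot
		}
	}
	// Absolute SFTP paths are relative to the virtual root, so drop the leading '/'.
	cleaned := strings.TrimPrefix(path.Clean("/"+clientPath), "/")
	full := filepath.Join(root, filepath.FromSlash(cleaned))
	// Defence in depth: confirm the joined host path still sits inside root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// renameVulnerable mirrors the flaw the advisory describes: the source is
// validated, the destination is handed on exactly as the client sent it.
func renameVulnerable(root, src, dst string) (hostSrc, hostDst string, err error) {
	hostSrc, err = resolve(root, src)
	return hostSrc, dst, err
}

// renameFixed validates both ends, which is the fix the advisory describes.
func renameFixed(root, src, dst string) (hostSrc, hostDst string, err error) {
	if hostSrc, err = resolve(root, src); err != nil {
		return "", "", err
	}
	if hostDst, err = resolve(root, dst); err != nil {
		return "", "", err
	}
	return hostSrc, hostDst, nil
}

// RenameEvent is one rename request parsed from the log.
type RenameEvent struct {
	Src, Dst   string
	Suspicious bool
}

// isSuspiciousDst applies the detection rule from the answer above: flag a
// destination that contains a ".." segment, or that is absolute and not under root.
func isSuspiciousDst(root, dst string) bool {
	for _, seg := range strings.Split(dst, "/") {
		if seg == ".." {
			return true
		}
	}
	if path.IsAbs(dst) {
		cleaned := path.Clean(dst)
		return cleaned != root && !strings.HasPrefix(cleaned, root+"/")
	}
	return false
}

// scanRenameLog parses the constructed "<ts> sftp rename src=<a> dst=<b>" format
// and flags each rename whose destination looks like an escape attempt.
func scanRenameLog(root string, lines []string) []RenameEvent {
	var events []RenameEvent
	for _, line := range lines {
		var src, dst string
		isRename := false
		for _, f := range strings.Fields(line) {
			switch {
			case f == "rename":
				isRename = true
			case strings.HasPrefix(f, "src="):
				src = strings.TrimPrefix(f, "src=")
			case strings.HasPrefix(f, "dst="):
				dst = strings.TrimPrefix(f, "dst=")
			}
		}
		if !isRename || dst == "" {
			continue // not a rename request
		}
		events = append(events, RenameEvent{Src: src, Dst: dst, Suspicious: isSuspiciousDst(root, dst)})
	}
	return events
}

// sampleLog is constructed input for the example; it is not goshs output.
var sampleLog = []string{
	"2026-04-10T12:00:01Z sftp rename src=docs/report.txt dst=docs/report-final.txt",
	"2026-04-10T12:00:04Z sftp rename src=/srv/sftp/docs/a.txt dst=/srv/sftp/docs/b.txt",
	"2026-04-10T12:00:07Z sftp rename src=docs/c.txt dst=../../outside.txt",
	"2026-04-10T12:00:09Z sftp rename src=docs/d.txt dst=/tmp/outside.txt",
	"2026-04-10T12:00:12Z sftp list path=docs",
}

func main() {
	root := "/srv/sftp" // hypothetical SFTP root
	for _, dst := range []string{"docs/renamed.txt", "../../outside.txt"} {
		_, vDst, _ := renameVulnerable(root, "docs/a.txt", dst)
		_, fDst, err := renameFixed(root, "docs/a.txt", dst)
		fmt.Printf("dst=%q vulnerable->%q fixed->%q err=%v\n", dst, vDst, fDst, err)
	}
	for _, ev := range scanRenameLog(root, sampleLog) {
		fmt.Printf("suspicious=%t src=%s dst=%s\n", ev.Suspicious, ev.Src, ev.Dst)
	}
}
```

The resolver rejects `..` segments rather than cleaning them away so that a blocked request produces an error the server can log, which is what makes the "blocked rename request" signal in the answer above usable for detection. The log scanner intentionally treats an absolute destination that is not under the root as suspicious: on an unpatched server that is exactly the path the process would have written to.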
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade the goshs SFTP server to version 2.0.0-beta.4 or later, where the vulnerability is fixed by sanitizing the destination path in the rename command.
If upgrading immediately is not possible, monitor and block rename requests with destination paths outside the root directory by implementing custom logging or firewall rules to detect and prevent exploitation attempts.
Ensure that the SFTP server listens on the correct dedicated SFTP port (`opts.SFTPPort`) as fixed in the patch to avoid unintended exposure.
- Upgrade goshs to version 2.0.0-beta.4 or later.
- Apply patches that sanitize the rename destination path and block invalid requests.
- Monitor logs and webhook notifications for blocked rename requests.
- Restrict network access to the SFTP server to trusted users only.